2010-09-17 09:06:20
ASA VPN NAT
I spent the last week fighting our ASA. We have an old VPN 3000 Concentrator and I am slowly moving all of the tunnels to our ASA. But I needed to do some NAT over a few VPN tunnels and eventually had to call for help. Since I am not the only person trying to do this, and I had little luck finding instructions, I am writing this post. Ironically, once you know how to do it, it’s simple and makes sense. Probably why I could never find someone who had taken the time to document the process.

Notice the pointer in this screenshot. If you are going to NAT over the VPN tunnel, make sure this is not checked. You can delete it later; all it does is make a NAT rule for you, and we will make our own policy NAT instead.

3. Static Policy NAT
Although it is not on the diagram, I am adding two NAT rules to the ASA:
192.168.181.2 –> 192.168.81.2 if going to 172.22.108.201
192.168.181.3 –> 192.168.81.3 if going to 172.22.108.201
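
The two rules above as CLI configuration, given as an added example that is not from the original post. It assumes pre-8.3 ASA syntax, the real hosts behind an interface named `inside`, and the tunnel terminating on `outside`; the ACL names, the crypto map name and sequence number, and the ports in the verification command are hypothetical.

```cisco
! Added example, pre-8.3 ASA syntax (assumption).
! Hypothetical names: interfaces inside/outside, ACLs POLICY-NAT-HOST2,
! POLICY-NAT-HOST3 and VPN-NAT-TRAFFIC, crypto map OUTSIDE_MAP sequence 10.

! 1. One ACL per host: match the real source address only when the
!    destination is the host on the far side of the tunnel.
access-list POLICY-NAT-HOST2 extended permit ip host 192.168.181.2 host 172.22.108.201
access-list POLICY-NAT-HOST3 extended permit ip host 192.168.181.3 host 172.22.108.201

! 2. Static policy NAT: the translation applies only to traffic the ACL
!    matches. Traffic from the same hosts to any other destination is
!    left to whatever other NAT rules exist.
static (inside,outside) 192.168.81.2 access-list POLICY-NAT-HOST2
static (inside,outside) 192.168.81.3 access-list POLICY-NAT-HOST3

! 3. The crypto ACL must list the MAPPED addresses. On egress the ASA
!    translates first and matches interesting traffic afterwards, so an
!    entry written with 192.168.181.x would never match and the packets
!    would leave unencrypted or be dropped.
access-list VPN-NAT-TRAFFIC extended permit ip host 192.168.81.2 host 172.22.108.201
access-list VPN-NAT-TRAFFIC extended permit ip host 192.168.81.3 host 172.22.108.201
crypto map OUTSIDE_MAP 10 match address VPN-NAT-TRAFFIC

! 4. NAT exemption (nat (inside) 0 access-list ...) is evaluated before
!    static policy NAT. Make sure no exemption entry covers
!    192.168.181.2 or 192.168.181.3 going to 172.22.108.201.

! 5. Verification from the ASA prompt (ports are constructed values):
!    show xlate
!    packet-tracer input inside tcp 192.168.181.2 1025 172.22.108.201 80
!    show crypto ipsec sa peer <peer-ip>
```

The remote peer has to define its side of the tunnel against 192.168.81.2 and 192.168.81.3 as well, since those are the only source addresses it will ever see.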